Virus CharacteristicsThis variant of the W32/Rontokbro family will copy itself to the following directories, using the following names:C:\Documents and Settings\[USERNAME]\My Documents\Keuangan.exeC:\Documents and Settings\[USRNAME]\Start Menu\Programs\Startup\Data Uang.exeC:\Documents and Settings\[USERNAME]\Start Menu\Programs\Startup\Excel Optimise.exeC:\WINDOWS\system\System32.exeC:\WINDOWS\system32\Isassi.exeAll the above mentioned filenames will have an Microsoft Excel icon associated with it.This trojan will also hide all Microsoft Excel files in the C:\ driver with the command:

The excel files will not be seeing in a normal explorer environment or at command prompt. Additionaly some executalbe files with the Excel icon will be seeing in some directories.

Other generic characteritics of W32/Rontokbro at :http://vil.nai.com/vil/content/v_136318.htmMethod of InfectionTrojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email spam, etc.Removal InstructionsTo make your Excel files visible again, the following command can be issued on the command prompt:

attrib -h -s -r C:\*.xls /s

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.Mcafee